CN1262095C - Communications system - Google Patents

Communications system

Info

Publication number
CN1262095C
Authority
CN
China
Prior art keywords
external server
client interface
local terminal
network
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN01817225.3A
Other languages
Chinese (zh)
Other versions
CN1470119A (en)
Inventor
斯蒂芬·迈克尔·里德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tandberg Telecom UK Limited
Original Assignee
Ridgeway Systems and Software Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ridgeway Systems and Software Ltd
Publication of CN1470119A
Application granted
Publication of CN1262095C
Anticipated expiration
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L61/09 Mapping addresses
                        • H04L61/25 Mapping addresses of the same type
                            • H04L61/2503 Translation of Internet protocol [IP] addresses
                                • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
                                • H04L61/2517 Translation of Internet protocol [IP] addresses using port numbers
                                • H04L61/2521 Translation architectures other than single NAT servers
                                    • H04L61/2535 Multiple local networks, e.g. resolving potential IP address conflicts
                                • H04L61/256 NAT traversal
                                    • H04L61/2564 NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0281 Proxies
                        • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
                • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
                    • H04L65/10 Architectures or entities
                        • H04L65/102 Gateways
                            • H04L65/1043 Gateway controllers, e.g. media gateway control protocol [MGCP] controllers
                    • H04L65/1066 Session management
                        • H04L65/1101 Session protocols
                            • H04L65/1106 Call signalling protocols; H.323 and related
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/14 Session management
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
                        • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
                            • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
                                • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Abstract

The present invention relates to a communications system 1 for handling communications sessions, for example multimedia calls or voice calls. The communications system comprises a local terminal 10, an external server 40 and a proxy interface agent 11 between the terminal 10 and a shared network 20. The communication means includes a first NAT function 32 through which the communications session must pass. The communications session is carried over the network on one or more logical channels between the terminal 10 and the external server 40, during which the first NAT function 32 applies network address mappings to the terminal's transport addresses 14. The proxy interface agent 11 acts on behalf of the terminal in communications with the external server and establishes a logical channel on an outbound connection to the server that serves as a control channel between the proxy interface agent and the server. The proxy interface agent establishes dynamic outbound connections to the server and, in response to a request from the server, makes one or more associations between the terminal's transport address(es) and identifiable logical channel(s) between the proxy interface agent and the server. These identifiable logical channel(s) are established on one or more of the dynamic outbound connections from the proxy interface agent to the server.
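The following is an added example, not code from the patent or from Ridgeway/Tandberg, that models the arrangement the abstract describes: an edge NAPT/firewall that only admits connections opened from the private side, a proxy interface agent that opens an outbound control channel to the external server, and, on the server's request, further dynamic outbound connections that the agent associates with the terminal's transport address so that inbound media can ride on them. Connections are in-memory objects rather than sockets; the class names, the channel-id scheme, the ASSOCIATE message and all addresses (documentation ranges) are assumptions.

```python
"""Proxy interface agent model: every connection to the external server is opened
outbound by the agent, and inbound media for the terminal rides on one of them."""
from dataclasses import dataclass, field

# Constructed address (documentation range), not taken from the patent.
TERMINAL_ADDR = ("10.0.0.5", 5004)       # terminal transport address, private side


class Blocked(Exception):
    """Raised by the edge NAPT/firewall for a connection initiated from outside."""


@dataclass
class Connection:
    """One logical channel; 'initiator' records which side opened it."""
    initiator: str                     # "private" or "public"
    channel_id: int
    to_private: list = field(default_factory=list)   # messages travelling server -> agent


class EdgeFirewall:
    """NAPT/firewall at the private network edge: outbound-initiated only."""

    def __init__(self):
        self.connections = []

    def open(self, initiator, channel_id):
        if initiator != "private":
            raise Blocked("unsolicited inbound connection dropped")
        conn = Connection(initiator, channel_id)
        self.connections.append(conn)
        return conn


class ExternalServer:
    def __init__(self):
        self.control = None
        self.channels = {}             # channel_id -> Connection opened by the agent

    def accept(self, conn, is_control=False):
        if is_control:
            self.control = conn
        else:
            self.channels[conn.channel_id] = conn

    def request_channel(self, terminal_addr, channel_id):
        """Over the control channel, ask the agent to associate terminal_addr
        with a new, identifiable logical channel (assumed message format)."""
        self.control.to_private.append(("ASSOCIATE", terminal_addr, channel_id))

    def send_media(self, channel_id, payload):
        """'Inbound' media is written onto a connection the agent opened outbound."""
        self.channels[channel_id].to_private.append(("MEDIA", payload))


class ProxyInterfaceAgent:
    def __init__(self, firewall, server):
        self.fw, self.server = firewall, server
        self.associations = {}         # channel_id -> terminal transport address
        self.delivered = []            # (terminal_addr, payload) handed to the terminal
        self.control = self.fw.open("private", 0)      # outbound control channel
        self.server.accept(self.control, is_control=True)

    def poll(self):
        """Act on server requests, then drain media from each associated channel."""
        while self.control.to_private:
            kind, terminal_addr, channel_id = self.control.to_private.pop(0)
            if kind == "ASSOCIATE":
                conn = self.fw.open("private", channel_id)   # dynamic outbound connection
                self.server.accept(conn)
                self.associations[channel_id] = terminal_addr
        for channel_id, terminal_addr in self.associations.items():
            conn = self.server.channels[channel_id]
            while conn.to_private:
                _, payload = conn.to_private.pop(0)
                self.delivered.append((terminal_addr, payload))   # forwarded to the terminal


def run_call():
    """Walk through one call; returns observations a test can check."""
    fw, server = EdgeFirewall(), ExternalServer()
    agent = ProxyInterfaceAgent(fw, server)
    try:                                   # 1. direct inbound connection: dropped at the edge
        fw.open("public", 99)
        direct_inbound_ok = True
    except Blocked:
        direct_inbound_ok = False
    server.request_channel(TERMINAL_ADDR, channel_id=1)   # 2. server asks for a channel
    agent.poll()                                           #    agent opens it outbound
    server.send_media(1, b"rtp-frame-1")                   # 3. media reaches the terminal
    agent.poll()
    return {
        "direct_inbound_ok": direct_inbound_ok,
        "associations": dict(agent.associations),
        "delivered": list(agent.delivered),
        "initiators": [c.initiator for c in fw.connections],
    }


if __name__ == "__main__":
    print(run_call())
```

The point the model makes visible is that the firewall never sees a connection initiated from the public side, yet the server can still push media to a specific terminal port because the agent has bound that port to a channel it opened itself.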

Description

Communication system
Technical field
The present invention relates to a communication system for handling communication sessions, for example a communication system that handles multimedia calls or voice calls.
Background art
This application proposes an invention that allows endpoints located in different secure private IP data networks (using real-time protocols such as H.323, SIP or MGCP) to communicate with one another without compromising the data confidentiality and data security of each private network. The method and apparatus of the present invention have the advantage of cooperating with existing security functions such as firewalls, and with the NAPT (network address and port translation) functions that may be present in firewalls, routers and proxy servers. A benefit of the present invention is that it saves the expense of upgrading this equipment to fully protocol-compliant, protocol-aware (e.g. H.323-aware) equipment. The invention provided in this application applies to configurations that use simple (1-to-1) NAT (network address translation) mapping at the edge of the private network, and/or to configurations that apply NAPT (network address and port translation) at the edge of the private network. These two configurations can coexist, and the apparatus can allow communication between a private network following one configuration and a private network following the other. Likewise, within a single private network, some terminals may use one configuration (for example a dedicated room system) and other terminals the second (for example a desktop client personal computer). Note that NAT in this text refers to all types of network address translation.
The invention provided in this application is described with reference to the International Telecommunication Union (ITU) H.323 standard, because it is the main standard for real-time multimedia communication on packet networks, including IP networks. However, the present invention is equally applicable to other standards or methods that need to dynamically allocate ports to carry bidirectional information (for example the IETF Session Initiation Protocol (SIP)). A main benefit of the present invention is that the private network infrastructure (firewalls and routers) does not need to know the protocol used for real-time communication, and the method of tunnelling real-time traffic into and out of the private network can likewise be protocol-agnostic. This allows an enterprise to deploy equipment without regard to the protocol. This is not to say that some equipment cannot provide "protocol" checking for security or other reasons.
Rapidly developing IP (Internet Protocol) data networks are creating new opportunities and challenges for multimedia and voice communication service providers. Incumbent telecommunications companies, next-generation carriers and service providers are making unprecedented investments in data network backbones. At the same time, broadband access technologies such as DSL and cable modems have brought high-speed Internet access to a wide customer base. The service providers' vision is to use IP data networks to deliver new voice, video and data services to the desktops, offices and homes that have high-speed Internet access.
The H.323 standard is useful for multimedia communication on packet networks that do not guarantee quality of service. It was designed to be independent of the underlying transport network and protocol. The IP data network is now the default and ubiquitous packet-based network, and most (if not all) H.323 implementations run over IP data networks. Other protocols for real-time (voice and video) communication, such as SIP and MGCP, also use IP data networks to carry call signalling and media. New protocols for real-time voice and video, and related new applications, are also expected to be developed for IP data networks. The method proposed by the present invention is applicable to them as well, and to other protocols in which a single session requires multiple traffic flows.
If terminals from different manufacturers are to interoperate, standards for wide-area communication are fundamental. In the multimedia field, the current standard for real-time communication over packet-based networks (for example IP data networks) is ITU standard H.323. H.323 is now a relatively mature standard, with support from the multimedia communications industry including Microsoft, Cisco and Intel. For example, an estimated 75% of personal computers have Microsoft's NetMeeting (trademark) program installed. NetMeeting is an H.323-compliant software application for multimedia (voice, video and data) communication. Interoperability between equipment from different manufacturers has also now been achieved. More than 120 companies worldwide participated in the latest interoperability event sponsored by the International Multimedia Telecommunications Consortium (IMTC), an independent body that promotes the interoperability of multimedia telecommunications equipment. This event is held regularly and allows manufacturers to test and resolve interoperability problems.
To date there have been many obstacles to the mass adoption of multimedia (particularly video) communication. Ease of use, quality, cost and communication bandwidth have all hindered the growth of the market. Advances in video coding technology, ubiquitous cheap IP access and the current investment in data networks, combined with the release of ISDN, DSL and cable modems, have alleviated most of these problems, making multimedia communication readily available.
When H.323 was defined as a standard, it was assumed that H.323-to-H.320 gateways located at the edge of the H.323 network domain would convert to H.320 for wide-area transmission between private networks. Therefore, H.323 over IP implementations have concentrated on communication within a single network.
However, IP continues to prove advantageous as a wide-area protocol. More and more organisations are building their entire data networks on IP. High-speed Internet access, managed intranets and virtual private networks (VPNs) built on IP are commonplace. The trend towards IP is reducing the status of H.320 as the multimedia protocol. The market demand is to replace H.320 entirely with IP-based H.323. But perhaps the main market driver for carrying real-time communication over IP across the WAN (wide area network) is voice. Using standards such as H.323 and SIP, users have begun to use their computers to make cheap voice calls over the Internet. This marks the beginning of an entirely new voice over IP (VoIP) industry, which is seeking to develop new VoIP products including Ethernet phones, IP PBXs, soft switches and IP/PSTN gateways, all connected to carry VoIP seamlessly between enterprises and users. H.323, SIP and MGCP are expected to become the dominant standards here.
Unfortunately, in the real world there are still unforeseen technical barriers to the wide-area deployment of H.323 and SIP. These technical barriers concern the communications infrastructure at the borders of IP data networks.
Therefore, successful multimedia or VoIP communication deployments are at present all confined to intranets or privately managed IP networks.
Two IP technologies, network address translation (NAT) and firewalls, cause many of the problems. Security is also a concern when considering solutions to these problems. Deployments of real-time communication over data networks traverse shared networks (for example the public Internet), and enterprises must ensure that their data security is not compromised. Current solutions to these problems require the enterprise to expose its outside IP addresses to anyone with whom it expects to communicate (which for voice communication generally means everyone). The invention proposed herein does not suffer from this drawback, because the enterprise's outside IP address needs to be known only to a "trusted" service provider, which is exactly how the public Internet has developed on a large scale.
NAT was introduced to solve the problem of "address shortage". Any endpoint or "host" in an IP network has an "IP address" that identifies that endpoint, so that packets can be correctly sent or routed to it and packets received from it can be identified by their origin. When the IP address space was defined, nobody could predict the dramatic growth in the number of desktop devices. After years of global IP growth, it was realised that the number of endpoints wanting to communicate using the IP protocol would exceed the number of unique IP addresses that the address space could provide. Increasing the address space to make more addresses available would require upgrading the entire IP infrastructure. (The industry is planning to adopt IPv6 at some point to address these problems.)
The current solution is called NAT. The first NAT solution, called simple NAT in IETF RFC 1631, uses a one-to-one mapping and originated before the World Wide Web appeared, when only a few hosts within an organisation (for example e-mail servers and file transfer servers) needed to communicate outside the organisation. NAT allows an enterprise to set up a private IP network in which each endpoint has an address that is unique only within that enterprise, not globally unique. These addresses are private IP addresses. This allows each host in the organisation to communicate (by address) with any other host in the organisation. For external communication, a public or globally unique IP address is needed. At the edge of the private IP network is a device with a NAT function, which is responsible for translating between public IP addresses and private IP addresses. The enterprise will have one or more public addresses that belong exclusively to it, but usually needs fewer public addresses than hosts, either because only a few hosts need to communicate externally or because the number of simultaneous external communications is small. More complex NAT implementations have a pool of public IP addresses, which are dynamically allocated on a first-come, first-served basis to hosts that need to communicate externally. Where external equipment needs to send unsolicited packets to a specific internal device, a fixed network address rule is required.
Currently, most private networks use private IP addresses in the 10.x.x.x range. External communication is normally via a service provider, which provides service over a managed or shared IP network or over the public Internet. At the border between the public and private networks, NAT is used to modify the address to one that is unique in the IP network the packet is passing through. Simple NAT changes the entire IP address according to a one-to-one mapping, which may be fixed or established dynamically for the duration of a communication session.
Web servers, mail servers and external servers are all examples of hosts that need a static one-to-one NAT mapping so that external communication can be switched to them.
A result of NAT is that the private IP address of a host is not visible from outside. This increases the level of security.
An extension of simple NAT additionally uses a plurality of ports in the translation mapping, and is commonly called NAPT (network address port translation) or PAT (port address translation). A port identifies one end of a point-to-point connection between two hosts. With the wide uptake of World Wide Web (WWW) access, the shortage of public IP addresses reappeared, because now many desktop machines need to communicate outside the private network. The solution specified in IETF RFC 1631 allows a many-to-one mapping of private IP addresses to a public IP address, whereby each connection from a private device into the public shared network is allocated a unique port on the public IP address (each IP address has, in theory, 64k unique ports). Because of the growth of the Internet, PAT is the common address translation method.
A characteristic of PAT is that the allocation of the private IP address/port to public IP address/port mapping is dynamic, and is typically made when a private device opens an outbound connection to the public network. A consequence of PAT is that data cannot propagate inbound, i.e. from the public network to the private network, unless an outbound connection has previously caused such a PAT allocation to be made and that allocation still exists. Typically, PAT devices do not make PAT allocations persistent. After a specified "quiet" period, i.e. when no more inbound data is received for the connection that was initiated outbound, the PAT allocation for that connection is released and the port is free to be allocated to a new connection.
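An added example (not from the patent) of the PAT behaviour just described: each outbound connection from a private host allocates a port on the single public address, an inbound packet for a port with no allocation is dropped, and an allocation lapses once no traffic has been seen for the quiet period. The class, the port range, the 60-second quiet period and the addresses (documentation ranges) are assumptions.

```python
"""NAPT (PAT) simulation: outbound connections allocate a public port, unsolicited
inbound packets are dropped, and idle mappings expire after a quiet period."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"          # the enterprise's single public address (constructed)
QUIET_PERIOD = 60.0                # seconds of silence before a mapping is released (assumed)


@dataclass
class Mapping:
    private: tuple          # (private ip, private port)
    public_port: int
    last_seen: float        # time of the last packet in either direction


class NAPT:
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.by_private = {}   # (private ip, port) -> Mapping
        self.by_public = {}    # public port -> Mapping

    def _expire(self, now):
        """Release every mapping that has been quiet for longer than QUIET_PERIOD."""
        for m in list(self.by_public.values()):
            if now - m.last_seen > QUIET_PERIOD:
                del self.by_public[m.public_port]
                del self.by_private[m.private]

    def outbound(self, src, dst, now):
        """Private host src sends to public dst; returns the translated source.
        dst is not part of the mapping key in this (endpoint-independent) model."""
        self._expire(now)
        m = self.by_private.get(src)
        if m is None:                              # first packet: allocate a public port
            m = Mapping(src, self.next_port, now)
            self.next_port += 1
            self.by_private[src] = m
            self.by_public[m.public_port] = m
        m.last_seen = now
        return (PUBLIC_IP, m.public_port)

    def inbound(self, src, dst, now):
        """Public packet for dst=(PUBLIC_IP, port); returns the private destination,
        or None when no live outbound allocation exists for that port."""
        self._expire(now)
        m = self.by_public.get(dst[1]) if dst[0] == PUBLIC_IP else None
        if m is None:
            return None
        m.last_seen = now
        return m.private


def demo():
    nat = NAPT()
    server = ("198.51.100.7", 80)
    pc1, pc2 = ("10.0.0.5", 51000), ("10.0.0.6", 51000)   # same private port, two hosts
    t_out1 = nat.outbound(pc1, server, now=0.0)            # gets public port 40000
    t_out2 = nat.outbound(pc2, server, now=1.0)            # gets public port 40001
    reply = nat.inbound(server, t_out1, now=2.0)           # reply to pc1: delivered
    unsolicited = nat.inbound(server, (PUBLIC_IP, 5060), now=3.0)   # no allocation: dropped
    stale = nat.inbound(server, t_out1, now=200.0)         # quiet period elapsed: dropped
    return t_out1, t_out2, reply, unsolicited, stale


if __name__ == "__main__":
    print(demo())
```

The last call is the case that matters for real-time protocols: a media port that was opened outbound but then goes quiet loses its allocation, so anything the far end sends afterwards never reaches the private host.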
While the public IP protocol and public networks make it easier for connected computers to communicate, they also make breaches of privacy and security easier. With relatively little computer skill, one can get into personal or confidential data and files, and business information can be maliciously damaged. The industry's answer to such attacks is to deploy a firewall at the border of the private network.
A firewall is designed to restrict or "filter" the type of IP traffic that can pass between the private and public IP networks. A firewall can apply restriction rules at several levels. Restrictions can be applied on IP address, port, IP transport protocol (for example TCP or UDP) or application. Restrictions are asymmetric. Typically a firewall is programmed so that more communication is allowed from the private network (inside the firewall) to the public network (outside the firewall) than in the other direction.
Applying firewall rules appropriately to IP addresses is difficult. Any internal host (i.e. your personal computer) may connect to any external host (a web server) anywhere in the world. To allow further control, the concept of "well-known ports" is used. A port identifies one end of a point-to-point connection between two hosts. A "well-known port" is a port that carries a "known" type of traffic. The Internet Assigned Numbers Authority (IANA) specifies a number of well-known ports and the types of traffic carried on them. For example, port 80 is designated for web browsing (HTTP) traffic, port 25 is designated for the Simple Mail Transfer Protocol, and so on.
An example of a firewall filtering rule for web browsing is:
Any internal IP address / any port number may connect using TCP (Transmission Control Protocol) and HTTP (the application protocol for web browsing) to any external IP address / port 80.
The connection is bidirectional, so that traffic can flow back from the web server along the same path. The key point is that the connection is initiated from inside.
An example of a firewall filtering rule for e-mail is:
Any external IP address / any port number may connect using TCP and SMTP to IP address 192.3.4.5 / port 25.
(At the same time, the NAT function may translate the destination IP address 192.3.4.5 to the internal address 10.6.7.8 of the mail server.)
A filtering rule such as "any internal IP address / any port number may connect over TCP or UDP to any external IP address / any port number, and vice versa" is equivalent to removing the firewall and connecting directly, because it is too broad a filter. IT managers will not approve such a rule.
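An added example, not part of the patent text, that evaluates the two filtering rules above (web browsing outbound; SMTP inbound to the mail server with the 192.3.4.5 to 10.6.7.8 translation) and shows why the "any to any, and vice versa" rule is equivalent to no firewall. The rule tuple format, the connection memory that lets replies return on the same path, and all addresses other than the two in the text are assumptions; translation of the browsing client's own address is left out here.

```python
"""Firewall rule evaluation: asymmetric rules, replies admitted only for connections
opened from inside, and a static destination NAT for the mail server."""

ANY = "any"


def _match(pattern, value):
    return pattern == ANY or pattern == value


class Firewall:
    def __init__(self, rules, static_nat=None):
        self.rules = rules                   # (direction, proto, src ip, src port, dst ip, dst port)
        self.static_nat = static_nat or {}   # public ip -> private ip (destination NAT)
        self.established = set()             # (proto, inside ip, inside port, outside ip, outside port)

    def _allowed(self, direction, proto, src, dst):
        return any(
            d == direction and p == proto
            and _match(si, src[0]) and _match(sp, src[1])
            and _match(di, dst[0]) and _match(dp, dst[1])
            for d, p, si, sp, di, dp in self.rules
        )

    def packet(self, direction, proto, src, dst, syn=False):
        """Return the destination the packet is delivered to, or None if dropped."""
        if direction == "in":
            inside = (self.static_nat.get(dst[0], dst[0]), dst[1])
            # a reply to a connection opened from inside passes without any rule
            if (proto, inside[0], inside[1], src[0], src[1]) in self.established:
                return inside
            return inside if self._allowed("in", proto, src, dst) else None
        if not self._allowed("out", proto, src, dst):
            return None
        if syn:                               # remember who opened the connection
            self.established.add((proto, src[0], src[1], dst[0], dst[1]))
        return dst


WEB_RULE = ("out", "tcp", ANY, ANY, ANY, 80)            # any inside -> any outside : 80
MAIL_RULE = ("in", "tcp", ANY, ANY, "192.3.4.5", 25)    # any outside -> 192.3.4.5 : 25
WIDE_RULES = [("out", "tcp", ANY, ANY, ANY, ANY),       # "and vice versa": no filter at all
              ("in", "tcp", ANY, ANY, ANY, ANY)]


def demo():
    fw = Firewall([WEB_RULE, MAIL_RULE], static_nat={"192.3.4.5": "10.6.7.8"})
    pc, web = ("10.1.2.3", 51234), ("203.0.113.80", 80)   # constructed addresses
    outsider = ("198.51.100.9", 4444)
    browse = fw.packet("out", "tcp", pc, web, syn=True)        # initiated from inside: allowed
    reply = fw.packet("in", "tcp", web, pc)                     # flows back on the same path
    probe = fw.packet("in", "tcp", outsider, pc)                # unsolicited inbound: dropped
    mail = fw.packet("in", "tcp", outsider, ("192.3.4.5", 25))  # allowed by rule, then NATed
    wide = Firewall(WIDE_RULES)
    wide_probe = wide.packet("in", "tcp", outsider, ("10.1.2.3", 3389))   # passes: no firewall
    return browse, reply, probe, mail, wide_probe


if __name__ == "__main__":
    print(demo())
```

Note that the same unsolicited probe is dropped by the first firewall and delivered by the "wide" one; the wide rule set gives an outsider reach to any internal port, which is what the text means by equivalence to having no firewall.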
H.323 was designed to be independent of the underlying network and transport protocol. However, H.323 can be implemented in an IP network according to the following general translation:
H.323 address: IP address
H.323 logical channel: TCP/UDP port connection
In IP-based H.323 implementations, H.323 protocol messages are sent over the TCP or UDP transport protocol as the payload of IP packets. Many H.323 messages contain the H.323 address of the originating endpoint, of the destination endpoint, or of both. Other signalling protocols such as SIP also embed IP addresses in the payload of the signalling protocol.
The problem, however, is that the NAT function changes the apparent IP address (and port) of the source and destination hosts without changing the H.323 addresses in the H.323 payload. Because hosts use the H.323 addresses and ports exchanged in the H.323 payload to associate each received packet with a call, this breaks the H.323 protocol, and an intermediary is needed to process the addresses in the H.323 payload.
Because of the complexity of H.323 multimedia communication, several logical channels must be opened between endpoints. Call control, capability exchange, audio, video and data all need logical channels. In a simple point-to-point H.323 multimedia session involving only audio and video, at least six logical channels are needed. In IP implementations of H.323, logical channels map to TCP or UDP port connections, and many of these are allocated dynamically.
Where the firewall function filters out traffic on ports for which no rule has been applied, either the firewall is opened up, which defeats the purpose of the firewall, or most H.323 traffic cannot pass.
Therefore, both NAT and firewall functions between H.323 endpoints (and endpoints of other real-time protocols such as SIP and MGCP) prevent communication from working. This is typically the case when the endpoints are in different private networks, when one endpoint is in a private network and the other is on the Internet, or when the endpoints are in differently managed IP networks.
H.323 (and SIP, MGCP, etc.) communication is therefore very unfavourable for firewalls. Either the firewall must become H.323-aware, or some intelligence in the middle must handle the allocation of ports in a secure manner.
One solution to this problem is to upgrade the entire IP infrastructure for H.323. This requires:
● Upgrading the NAT function at each IP network border for H.323. The NAT function must scan all H.323 payloads and change the IP addresses consistently.
● Upgrading the firewall function at each IP network border for H.323. The firewall must understand and monitor all H.323 communication, so that it can open the dynamically allocated ports, and it must filter out all non-H.323 traffic on those ports.
● Adopting H.323 intelligence at the border, or in the shared IP network, to resolve and arbitrate addresses. IP addresses are rarely used directly by users; in practice an alias of the IP address is used, and intelligence is needed to resolve the alias into an IP address. This H.323 functionality is contained in the H.323 entity called the Gatekeeper.
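An added example (not the patent's code) of the breakage described above and of the first listed upgrade, a NAT that scans payloads. A call-setup message carries the terminal's media address; a header-only NAT leaves it untouched, so the far end aims media at a private address that nothing outside can reach, whereas a protocol-aware NAT allocates a mapping for the embedded address and rewrites it consistently with the header. The text payload stands in for an H.323 (ASN.1-encoded) message, and the class names and addresses (documentation ranges) are assumptions.

```python
"""Header-only NAT versus protocol-aware NAT on a signalling message that carries
the terminal's own transport address."""
import ipaddress
import re

PUBLIC_IP = "203.0.113.1"                                   # constructed public address
MEDIA_RE = re.compile(r"media=(\d+\.\d+\.\d+\.\d+):(\d+)")   # simplified payload field
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for RFC 1918 addresses, which are not routable from the public side."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class SimpleNAT:
    """Translates the IP header one-to-one; the payload is opaque to it."""

    def __init__(self):
        self.mappings = {}       # (private ip, port) -> (public ip, port)
        self.next_port = 40000

    def allocate(self, private_addr):
        if private_addr not in self.mappings:
            self.mappings[private_addr] = (PUBLIC_IP, self.next_port)
            self.next_port += 1
        return self.mappings[private_addr]

    def reverse(self, public_addr):
        """Inbound lookup: which private address does a public address map to?"""
        for private, public in self.mappings.items():
            if public == public_addr:
                return private
        return None

    def forward(self, src, dst, payload):
        return self.allocate(src), dst, payload       # payload passes through unchanged


class ProtocolAwareNAT(SimpleNAT):
    """The 'upgraded' NAT: also scans the payload, allocates a mapping for every
    embedded media address and rewrites it consistently with the header."""

    def forward(self, src, dst, payload):
        header_src = self.allocate(src)                # signalling channel first

        def rewrite(match):
            private = (match.group(1), int(match.group(2)))
            pub_ip, pub_port = self.allocate(private)  # pre-allocate the media port
            return f"media={pub_ip}:{pub_port}"

        return header_src, dst, MEDIA_RE.sub(rewrite, payload)


def far_end_media_target(payload):
    """The external endpoint reads the payload to learn where to send audio."""
    match = MEDIA_RE.search(payload)
    return match.group(1), int(match.group(2))


def demo(nat):
    """Send one call-setup through `nat`; report where the far end will aim media,
    whether that address is private (unreachable from outside), and which private
    address the NAT would deliver a packet for that target to (None = no mapping)."""
    terminal_signalling = ("10.0.0.5", 1720)
    setup = "SETUP callee=alice media=10.0.0.5:5004"      # constructed payload
    _, _, payload_outside = nat.forward(terminal_signalling, ("198.51.100.7", 1720), setup)
    target = far_end_media_target(payload_outside)
    return target, is_private(target[0]), nat.reverse(target)


if __name__ == "__main__":
    print(demo(SimpleNAT()))
    print(demo(ProtocolAwareNAT()))
```

With the simple NAT the far end is told to send audio to 10.0.0.5:5004, an address that is both unroutable and absent from the NAT table; with the protocol-aware NAT it is told 203.0.113.1:40001, for which a reverse mapping to the terminal's media port already exists before the first media packet arrives. The cost, as the text goes on to note, is that every border device must parse every signalling protocol in use.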
The shortcoming of this possible solution is:
● each mechanism/dedicated network must have the H.323 upgrading of the same levels of communication of existence.
● upgrading is expensive.Must buy, plan and adopt new function or new equipment.H.323 the IT manager must learn.
● along with adopting technology progressively, require than the original bigger and more expensive initial configuration of (perhaps testing) demand, the scale of this configuration can not promptly be applicable to the demand to it.
● continuous analysis H.323 packet has increased the burden of stand-by period to resolve simple NAT and firewall functionality to the signal of each network boundary.The delay tolerance of audio frequency and video is very little.
● owing to there is the multiple standards of real time communication, and each signaling protocol of these standards is different, so enterprise needs multiple upgrading, and a kind of upgrading is used for and should wants every kind of agreement using in it.
● wish that media directly propagating between the enterprise or between the enterprise of public network and equipment.Such result makes the IP address of enterprise become public knowledge.It is compromise that this is considered to a kind of safety, because must at first find IP address as the enterprise of the first step of attacking as any potential assailant.
Since these problems, the multimedia communication when H.323 agreement is not used in fire compartment wall and/or network address translation (nat).A kind of method is at the public side of fire compartment wall and nat feature with system configuration H.323.This just allows them to use H.323, also allows them to protect the remainder of its network simultaneously.The shortcoming of this method is:
1. The most ubiquitous device used for video communication is the desktop PC. Placing all desktop computers on the public side is absurd.
2. An H.323 system on the public side of the firewall cannot be protected from attackers.
3. Because only dedicated systems are allowed to communicate with H.323, the company cannot exploit the potentially ubiquitous nature of H.323.
4. The company cannot make full use of the data-sharing facilities of H.323, because the firewall will block the H.323 system from reaching that data. Opening the firewall is not an option, since it would allow an attacker to use the H.323 system as a relay to forward data out of the H.323 system.
5. In the emerging voice-over-IP (VoIP) market there is demand for telephone equipment connected directly to the data network, for example Ethernet phones or IP private branch exchanges. Being desktop devices, these are typically placed behind the firewall and NAT of a private network. Without a solution to the problems described above, telephony using these devices is confined to the enterprise private network or intranet, or the phone must reach the outside world through an IP-PSTN gateway.
Realising the advantages of voice, video and data communication for enterprises with broadband connections requires a secure solution to these problems.
The Cisco Systems white paper "Deploying H.323 Applications in Cisco Networks", Sam Kohta, 1998, discusses the interaction between NAT and the H.323 protocol. A firewall can be used to decode and rewrite all addresses carried in the H.323 protocol, or a proxy add-on to the firewall can be used that only allows traffic conforming to the H.323 protocol to pass.
Various schemes for implementing H.323 are discussed in the article "ITU-T standardization activities for interactive multimedia communications on packet-based networks: H.323 and related recommendations", J. Toga and J. Ott, Computer Networks 31 (1999) 205-223.
Summary of the invention
The object of the invention is to address these problems.
Accordingly, the invention provides a communication system for handling a communication session with a destination communication system, comprising: a first local terminal in a first network; a first external server in a second network; one or more logical channels between the first local terminal and the first external server for carrying the communication session over a shared communication network; and means for performing a NAT function, through which the communication session must pass, wherein:
A) the first local terminal has at least one transport address used for the communication session;
B) the means for performing the NAT function applies a network address mapping to the transport address on the connection between the first local terminal and the shared communication network;
C) the system comprises a client interface agent which represents the first local terminal in communicating with the first external server;
D) the client interface agent establishes logical channels on one or more outbound connections to the first external server, the logical channels serving as control channels between the client interface agent and the first external server;
wherein:
E) the outbound connections established by the client interface agent are dynamic outbound connections;
F) the client interface agent establishes an association between the transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel being between the client interface agent and the first external server and established on one or more of the dynamic outbound connections from the client interface agent to the first external server.
According to the invention there is also provided a method of handling a communication session in a communication system, the communication system comprising a first local terminal in a first network, a first external server in a second network, a client interface agent between the first local terminal and a shared communication network, and means for performing a NAT function through which the communication session must pass, the method comprising the steps of:
A) for a communication session carried over the shared communication network on one or more logical channels between the first local terminal and the first external server, the first local terminal having at least one transport address used for the communication session;
B) causing the means for performing the NAT function to apply a continuous network address mapping to the transport address on the connection between the first local terminal and the shared communication network;
C) using a client interface agent to represent the first local terminal in communicating with the first external server;
D) using the client interface agent to establish logical channels on one or more outbound connections to the first external server, the logical channels serving as control channels between the client interface agent and the first external server; the method being characterised by the further steps of:
E) using the client interface agent to establish dynamic outbound connections to the first external server;
F) using the client interface agent to establish one or more associations between the transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel being between the client interface agent and the first external server and established on one or more of the dynamic outbound connections from the client interface agent to the first external server.
The logical channels together provide the communication session, and the outbound connections create the necessary NAT mappings, which carry both inbound and outbound traffic between the terminal and the external server. Communication to and from the first local terminal is mapped transparently onto the identifiable logical channels by the first client interface agent. The external server communicates with the destination communication system as if it were the first terminal. The communication system can therefore provide transparent communication between the first terminal and the destination communication system, with the external server responsible for forwarding the communication.
To allow inbound communication over TCP, a bidirectional outbound connection is established in advance to create the NAT mapping.
To allow inbound communication over UDP, probe packets are sent to create the NAT mapping.
During the communication session, the first NAT function continues to apply the network address mapping to the connection between the first client interface agent and the external server.
Using common multiplexing techniques, identifiable logical channels can be multiplexed onto one or more connections.
An example of a transport address is an IP address plus a port number. The network address mapping is therefore typically a mapping of IP address and/or port.
In an embodiment of the invention, the first client interface agent establishes the association in response to a request from the external server.
In another embodiment of the invention, the first client interface agent establishes the association in response to a request generated by the first client interface agent itself.
The external server itself (or alternatively the first client interface agent) may also request the external server to establish an association between the identifiable logical channel and a logical channel carrying communication between the external server and the destination communication system, the destination communication system being, for example, a destination terminal.
The transport address of the first local terminal is preferably dynamically allocated. Likewise, the transport address of the external server may also be dynamically allocated.
Alternatively, the transport address of the external server may not be dynamically allocated.
The communication system may comprise a first firewall through which the communication session must pass. The first firewall is then configured to restrict particular types of communication between the first local terminal and the shared communication network, but not to restrict communication between the first client interface agent and the external server.
At least one transport address of the external server may have at least one pre-allocated (sometimes called "well-known") port. The outbound connections from the first client interface agent to the external server then use that pre-allocated port.
Preferably, all transport addresses of the external server have pre-allocated ports, and all outbound connections from the first client interface agent to the external server connect to transport addresses of the external server. In this case, all transport addresses of the external server may have at most two pre-allocated ports.
The number of pre-allocated ports of the external server may be less than or equal to the total number of ports dynamically allocated to the terminal. For example, the external server may have three pre-allocated ports, one for TCP and two for UDP.
The communication system may comprise a second local terminal, the external server being a proxy server between the first terminal and the second terminal and acting as the proxy of each terminal towards the other during the communication session.
In many cases there will be a second local terminal with a second firewall and/or a second NAT function through which the communication session must pass. The second firewall may then be configured to restrict particular types of communication between the second terminal and the public communication network. The external server then has logical communication ports for communicating with multiple terminals, including for example one or more pre-allocated ports for communicating with the second terminal. The second firewall may then be configured not to restrict communication between the second terminal and the pre-allocated ports of the proxy server, and a second client interface agent is used to represent the second terminal in communicating with the external server. The communication session with the second client interface agent at the second local terminal may be carried out in a manner similar to that described above.
Alternatively, the second terminal and the second client interface agent may be connected to a second external server. The external servers communicate over the public or shared network.
The shared communication network typically comprises a public communication network and/or the Internet.
The client interface agent may be co-located with the local terminal, or alternatively the client interface agent may be remote from the local terminal.
The invention is also useful where each client interface agent serves more than one local terminal. A client interface agent may at the same time represent terminals using the same or different real-time (or non-real-time) protocols, for example H.323 and SIP. A signalling gateway function (for example between H.323 and SIP) is preferably arranged in the external server or in the client interface agent.
Additional features or functions (for example quality of service and/or security through encryption) can be provided transparently to the endpoints by the client interface agent and the external server.
The system may be used to make voice or multimedia calls according to the H.323 standard of the International Telecommunication Union. Alternatively, the system may be used to make voice or multimedia calls according to the SIP standard of the Internet Engineering Task Force. The system and method may also be used with non-real-time protocols to establish other types of communication session through firewalls and NAT, for example file transfer, in which case its function involves dynamically establishing logical channels identified by transport addresses, those transport addresses being addresses that the NAT leaves unchanged. The communication system may also support mixed protocol environments.
The client interface agent may be co-located on an endpoint (for example a PC terminal), or may reside in a separate device away from the endpoint on whose behalf it acts.
The terminals may be adapted to send and/or receive multimedia media signals and associated multimedia control signals, the control signals being sent to one pre-allocated port and the media signals to another pre-allocated port.
Preferably, at least one logical communication port is a pre-allocated port, and the request that initiates the communication session is sent to the pre-allocated port.
The communication system is suitable for voice or multimedia calls carried at least in part over the Internet, in which case the external server has a public Internet Protocol address through which one or both terminals communicate with the external server, and the firewall is configured not to restrict communication between the terminals and the pre-allocated ports of the external server.
The invention may be applied where there are one or more pairs of first and second terminals. For example, several first voice or multimedia terminals at one site may each be connected to a corresponding second voice or multimedia terminal at a number of other locations.
The invention allows two terminals, each located in its own private network, to communicate over a common public (or shared) network, where the private network of one or both parties is connected to the public network through a firewall and/or NAT that restricts particular types of communication with the public network. Similarly, the invention allows a terminal in a private network to communicate with a terminal in the public network, the two networks being connected by a firewall and/or NAT that restricts particular types of communication.
The invention is described only with reference to operation between a first endpoint, referred to here as the first local terminal, and an intermediate server, referred to as the external server. Operation between a second terminal and the external server mirrors operation between the first terminal and the external server. Moreover, where the second terminal is connected directly to the public network, this is equivalent to being connected to a private network whose firewall and NAT implement a null function: that is, the firewall restricts no connections, and the NAT uses the same address on both sides for any given connection.
The invention relates to the configuration of an external server in the shared or public network and of a client interface agent in the private network. The external server may be owned and operated by a public service provider, and would then typically be provisioned in advance for enterprises wishing to carry H.323 communication across the private/public network boundary. The client interface agent may be implemented as part of the terminal, or independently of the terminal but running on the same device as the terminal, or it may be installed on a separate device.
At start-up, the client interface agent establishes a TCP connection to the external server. If a firewall and/or NAT is present, the connection passes through it. This requires the firewall to permit outbound TCP connections to the address and well-known port of the external server. Because the connection is established in the outbound direction, the NAT can provide the mapping from private address to public address (and vice versa). As part of the set-up process, the external server and the client interface agent may authenticate each other, and the connection may be encrypted. The protocol run over this connection permits multiple signalling protocols to be multiplexed onto it, including but not limited to H.225 RAS, H.225 call signalling, H.245 and SIP. In practice this one connection is sufficient for all communication between the first local terminal and the external server, and the performance characteristics of a TCP connection are acceptable. Once established, the multiplexed connection remains mostly idle, apart from periodic registration messages, until an outgoing call or an incoming call attempt occurs. For additional security, the connection may be torn down and re-established at (short) intervals. Each re-establishment can potentially create a new port allocation in the NAT function and a new encryption key, reducing an attacker's opportunity to exploit the connection.
However, the transmission characteristics of the multiplexed connection are not suitable for real-time media such as audio and video. These require UDP-based RTP/RTCP connections to be established between the client interface agent and the external server. Both inbound and outbound RTP/RTCP connections require UDP traffic in both directions. To send media from the terminal to the public network via the external server, the external server sends an H.323 message to the terminal (over the multiplexed connection, through the client interface agent) instructing the terminal to send its media to the client interface agent. (This can be done using the standard H.323 procedures by populating the address and port fields of the H.323 messages so as to give the terminal and the client interface agent the illusion that they are the two ends of the H.323 call.) The client interface agent must then set up the UDP message exchange to and from the external server through the firewall and/or NAT.
In principle, the client interface agent could establish a UDP connection to the external server simply by sending a UDP packet to the external server's address and well-known port. The firewall can be configured to allow this traffic, and the NAT can create the private-to-public address mapping because the connection is established in the outbound direction. However, a device handling many calls involving many UDP connections (such as the external server) typically uses the IP destination address and port, and/or the IP source address and port, to associate UDP data with the appropriate call. In the case of the external server, all UDP data must be sent to the same IP address and well-known port in order to pass the firewall, so the IP destination address and port cannot be used to distinguish the various UDP connections. Moreover, from the external server's point of view, the NAT assigns an effectively random IP source address and port to the UDP data it sends. The result is that the IP source address and port arriving at the external server will not correspond to any media channel that the external server (or the client interface agent) has negotiated over the signalling channels.
To solve this association problem, the external server (or the client interface agent) instructs the client interface agent, over the TCP-based multiplexed connection, to send it a probe packet using the same IP source and destination addresses and ports that the client interface agent will subsequently use for the UDP data of that connection. The probe packet contains a unique token chosen by the external server (or the client interface agent), which allows the external server to associate the received probe packet with the appropriate UDP connection. The external server can then associate the IP source and destination addresses and ports of the probe packet with that UDP connection. Knowing this address and port information, the external server can subsequently associate UDP data received with these addresses and ports with the appropriate call, so that it can be forwarded correctly to and from the destination communication system. In another embodiment of the invention, the token information may be multiplexed into every UDP packet sent. In addition, multiple logical channels may be multiplexed onto the same UDP connection. One advantage of the latter approach is that it saves ports at the client interface agent. A second advantage is a reduction in the bandwidth consumed by UDP header information, which is normally sent in every RTP/RTCP packet. Because the logical channels are multiplexed, fewer TCP and UDP connections are used, and those connections can be placed on pre-allocated or well-known ports at the client interface agent. This makes the firewall rules tighter.
To send data from the external server to the client interface agent, a public-to-private address mapping must exist in the NAT. Because this is typically a one-to-many mapping, a NAT typically cannot create such a mapping dynamically. However, as can be seen, the network path created when the outbound UDP connection from the client interface agent to the external server is established as described above is in fact bidirectional. A UDP connection from the external server to the client interface agent is therefore established by the same steps as a UDP connection from the client interface agent to the external server. Once the association of addresses and ports has been established, however, the external server uses this information to send UDP data rather than to receive it. The client interface agent then sends the UDP data on to the terminal. Standard H.323 signalling with suitable address and port values can be used to prepare the terminal to receive the UDP data from the client interface agent.
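The probe exchange described above, together with the terminal-address association the client interface agent keeps, as an added example that is not part of the patent: a constructed Python model in which the NAT randomises the public source port, the external server recognises the probe only by its token, and inbound media reuses the mapping the probe created. The addresses 192.1.1.1 and 45.6.7.8 are taken from the figures; the port numbers, token format and class names are assumptions.

```python
import random
import secrets

PORT_X = 5004   # assumed well-known UDP media port X of the external server (constructed)


class Napt:
    """Constructed NAPT: a private (ip, port) gets a public port on its first outbound packet."""

    def __init__(self, public_ip, seed=1):
        self.public_ip = public_ip
        self.rng = random.Random(seed)      # seeded so the walk-through is reproducible
        self.private_to_port = {}
        self.port_to_private = {}

    def outbound(self, src, dst, payload):
        if src not in self.private_to_port:
            port = self.rng.randrange(1024, 65536)
            while port in self.port_to_private:
                port = self.rng.randrange(1024, 65536)
            self.private_to_port[src] = port
            self.port_to_private[port] = src
        return (self.public_ip, self.private_to_port[src]), dst, payload

    def inbound(self, src, dst, payload):
        if dst[0] != self.public_ip or dst[1] not in self.port_to_private:
            return None                      # no mapping: dropped at the NAT
        return src, self.port_to_private[dst[1]], payload


class ExternalServer:
    """Associates probe tokens with calls, then routes UDP data by the observed source."""

    def __init__(self, ip):
        self.addr = (ip, PORT_X)
        self.pending = {}        # token -> call id; the token travels over the TCP control channel
        self.calls = {}          # call id -> destination transport address
        self.by_source = {}      # public (ip, port) seen on the probe -> call id

    def request_probe(self, call_id, destination):
        token = secrets.token_hex(8)
        self.pending[token] = call_id
        self.calls[call_id] = destination
        return token

    def receive_udp(self, src, dst, payload):
        if dst != self.addr:
            return ("wrong-port", None)
        if payload.startswith(b"PROBE:"):
            call_id = self.pending.pop(payload[6:].decode(), None)
            if call_id is None:
                return ("unknown-token", None)   # unsolicited probe: no association made
            self.by_source[src] = call_id
            return ("associated", call_id)
        call_id = self.by_source.get(src)
        if call_id is None:
            return ("unassociated", None)        # media from a source that never probed
        return ("forward", self.calls[call_id])

    def send_udp(self, call_id, payload):
        """Inbound media reuses the public address and port learned from the probe."""
        for src, cid in self.by_source.items():
            if cid == call_id:
                return self.addr, src, payload
        return None


class ClientInterfaceAgent:
    """Holds the terminal transport address <-> local channel port association."""

    def __init__(self, ip, nat, server, first_port=40000):
        self.ip, self.nat, self.server = ip, nat, server
        self.next_port = first_port
        self.assoc = {}          # terminal (ip, port) -> local port used towards the server

    def open_channel(self, terminal, token):
        port = self.assoc.setdefault(terminal, self.next_port)
        self.next_port += 1
        pkt = self.nat.outbound((self.ip, port), self.server.addr, b"PROBE:" + token.encode())
        return self.server.receive_udp(*pkt)

    def relay_out(self, terminal, payload):
        pkt = self.nat.outbound((self.ip, self.assoc[terminal]), self.server.addr, payload)
        return self.server.receive_udp(*pkt)


def run_scenario():
    """One call: probe, outbound media, inbound media, and the cases that are rejected."""
    nat = Napt("192.1.1.1")                      # enterprise public address from the figures
    server = ExternalServer("45.6.7.8")          # external server address from the figures
    agent = ClientInterfaceAgent("10.0.0.5", nat, server)
    terminal = ("10.0.0.5", 5004)                # constructed private RTP address of terminal 10
    token = server.request_probe(call_id=1, destination=("206.1.1.1", 5004))
    return {
        "probe": agent.open_channel(terminal, token),
        "media_out": agent.relay_out(terminal, b"rtp-frame"),
        "inbound": nat.inbound(*server.send_udp(1, b"rtp-frame-back")),
        "bogus": server.receive_udp(("203.0.113.9", 5555), server.addr, b"PROBE:deadbeef"),
        "unassoc": server.receive_udp(("203.0.113.9", 5555), server.addr, b"rtp-frame"),
        "stray": nat.inbound(server.addr, ("192.1.1.1", 1), b"x"),
    }
```

Note that the server never trusts the source address by itself: without a pending token a probe makes no association, and media from an address that never probed is not forwarded.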
As has been described, the first client interface agent and the external server provide a communication system and method that allow a first terminal to communicate with a destination communication system through an unmodified NAT and firewall. This is achieved by:
A) modifying the addresses in the protocol (H.323, SIP, etc.) so that the terminal communicates with the first client interface agent as if it were the destination communication system, and the destination communication system communicates with the external server as if it were the first terminal; and
B) dynamically associating 1) the logical channels used by the first terminal with 2) identifiable logical channels from the first client interface agent to the external server, the identifiable logical channels being within dynamic outbound connections from the first client interface agent to the external server, and with 3) the logical channels established between the external server and the destination communication system.
Modification of the addresses in the protocol can be performed by the external server, by the first client interface agent, or by both. Wherever the modification is performed, requests and instructions must be communicated between the first client interface agent and the external server so that the dynamic association can be made. These requests and instructions are carried in a client-server protocol between the first client interface agent (client) and the external server (server); the client-server protocol is carried on the control channel, which may itself be carried in the outbound connections from the first client interface agent to the external server.
When the external server is responsible for modifying the addresses in the protocol, the first client interface agent is regarded as the master of the client-server protocol and the external server as the slave.
When both the first client interface agent and the external server perform protocol modification, they may negotiate, or be configured, so that one is the master and the other the slave.
Because the one or more outbound connections from the first client interface agent for one or more calls may arrive at the same transport address on the external server, and because those outbound connections pass through one or more NATs that randomise their source addresses, probe packets containing a known identifier are used to establish the outbound connections, the identifier being exchanged between the first client interface agent and the external server (or vice versa). The identifier enables the external server to complete the association it needs in order to forward the call correctly to and from the destination communication system.
The invention will now be described by way of example with reference to the accompanying drawings.
Description of drawings
Fig. 1 is a schematic diagram of a communication system according to the invention for making voice or multimedia calls between two enterprises, in which the client interface agent is co-located with the endpoint;
Fig. 2 is a schematic diagram similar to Fig. 1, except that the client interface agent is remote from the endpoint; and
Fig. 3 is a schematic diagram of the communication system of Figs. 1 and 2, showing the logical channels used for outbound and inbound communication within the outbound connections, these logical channels running between the local terminal in the enterprise and the external server.
Embodiment
An alternative to a full H.323 upgrade is proposed in the example described with reference to Fig. 1. Fig. 1 shows a communication system 1 having a first enterprise 2 and a second enterprise 4, each comprising a private network 6, 8, both of which have one or more H.323 terminals 10, 12. Each private network 6, 8 has private IP addresses in the 10.x.x.x address range. The private IP addresses 14, 16 may be allocated statically or dynamically by the usual DHCP procedure. The private networks 6, 8 contain client interface agents 11, 13 acting on behalf of the terminals 10, 12 respectively. If the client interface agents are not co-located with their respective terminals, they will have their own unique IP addresses within the ranges of their respective private networks 14, 16. In that case each client interface agent 11, 13 may act on behalf of multiple terminals 10, 12. In Fig. 1 the client interface agents are shown co-located; in Fig. 2 they are shown not co-located. External communication takes place over the shared, managed or public Internet 20. For external communication, the first enterprise 2 has one or more public IP addresses 22, for example in a range beginning at 192.1.1.1, and the second enterprise 4 has one or more public IP addresses 24, for example in a range beginning at 206.1.1.1. Each enterprise has a router 32, 34 that applies network address port translation (NAPT) to perform dynamic mapping between the internal (private) IP addresses 14, 16 and port numbers at those addresses and the external (public) IP addresses 22, 24 and selected port numbers.
The private networks 6, 8 are optionally protected at their borders by firewall functions 26, 28. The firewall function is configured with the rules shown in Table 1 to allow real-time communication such as H.323. These rules presuppose two or more new well-known ports, considered earlier in the invention and called X, Y and Z. In practice port Z may be the same as X or Y.
Table 1:
Rule  From IP address   From port  To IP address     To port  IP protocol  Use
1     Any               Any        External server   Z        TCP          Outbound multiplexed connection
2     External server   Z          Any               Any      TCP          Inbound multiplexed connection
3     Any               Any        External server   X        UDP          Outbound media (RTP)
4     External server   X          Any               Any      UDP          Inbound media (RTP)
5     Any               Any        External server   Y        UDP          Outbound media (RTCP)
6     External server   Y          Any               Any      UDP          Inbound media (RTCP)
In Table 1, the port numbers X, Y and Z are ideally registered with IANA according to the standard protocol registration procedure. The advantage of these ports being industry-standard ports is that intermediate devices such as firewalls and routers can recognise the associated media as real-time traffic and handle it appropriately, for example by a router forwarding it with higher priority to reduce delay.
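The six rules of Table 1 as a default-deny packet filter, added here as an example and not taken from the patent. The external server address 45.6.7.8 comes from the embodiment; the values chosen for X, Y and Z are constructed placeholders, since the patent leaves them to IANA registration.

```python
EXTERNAL_SERVER = "45.6.7.8"        # external server public address from the embodiment
X, Y, Z = 5004, 5005, 1720          # assumed values for the well-known ports (constructed)
ANY = None

# (from_ip, from_port, to_ip, to_port, protocol, use), in Table 1 order
TABLE_1 = [
    (ANY, ANY, EXTERNAL_SERVER, Z, "tcp", "outbound multiplexed connection"),
    (EXTERNAL_SERVER, Z, ANY, ANY, "tcp", "inbound multiplexed connection"),
    (ANY, ANY, EXTERNAL_SERVER, X, "udp", "outbound media (RTP)"),
    (EXTERNAL_SERVER, X, ANY, ANY, "udp", "inbound media (RTP)"),
    (ANY, ANY, EXTERNAL_SERVER, Y, "udp", "outbound media (RTCP)"),
    (EXTERNAL_SERVER, Y, ANY, ANY, "udp", "inbound media (RTCP)"),
]


def _match(rule_value, packet_value):
    """A rule field of ANY matches everything; otherwise it must be equal."""
    return rule_value is ANY or rule_value == packet_value


def evaluate(src_ip, src_port, dst_ip, dst_port, proto, rules=TABLE_1):
    """Return (rule number, use) of the first matching rule, or (None, 'deny').

    The filter is stateless, as Table 1 is written: rule 2, for example, admits any TCP
    segment whose source is the external server's port Z, not only replies on connections
    the client interface agent opened. A stateful firewall would tighten that further.
    """
    for number, (f_ip, f_port, t_ip, t_port, p, use) in enumerate(rules, start=1):
        if (p == proto and _match(f_ip, src_ip) and _match(f_port, src_port)
                and _match(t_ip, dst_ip) and _match(t_port, dst_port)):
            return number, use
    return None, "deny"
```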
For the H.323 terminal 10 in the first enterprise 2 to communicate with the other H.323 terminal 12 in the second enterprise 4, there must be a shared network 20 connected to an external server 40, for example via a router 38. The external server has a public IP address 44, for example 45.6.7.8. The external server also has the new well-known port numbers X, Y and Z 46, which must be agreed and registered with IANA in advance.
Fig. 3 shows the communication path between the various entities of watching from first terminal, 10, the first client interfaces agency's 11, the first fire compartment walls, 26, the first napt routers 32 and external server 40.This figure shows through fire compartment wall 26 and napt router 32 and is connected 51 in multiplexed between client interface agency 11 and the external server 40.In multiplexed connection 51 one or more logic channels 52,53.One of them is a control channel 52, and one other channel 53 transmits signaling protocols, such as H.225RAS, and call signaling H.225, H.245, SIP and MGCP.As the part of operation of narration below, client interface agency 11 sends to external server 40 with detection packet 55, and is based upon terminal 10 and is connected 56,57 with UDP between the external server 40.One or more logic channels can be multiplexed to UDP and connect 56,57, so that transmit the media such as RTP and RTCP.
Client interface agency 11 can require to operate with one of various modes according to operation.In principle it can be the unknowable or agreement of agreement as can be known.If it is unknowable that it is an agreement, external server 40 will order client interface agency 11 to open and close the UDP socket of any needs.This is a pattern the most flexibly, because its allows to adopt the terminal of New Deal to be increased in the dedicated network, and the client interface agency 11 that do not need to upgrade.Yet, there be not suitable looking after, when the third party opens the UDP channel for wrongful purpose indication client interface agency, this security threat will occur.For this reason, if adopt this pattern, advise that this client interface agency 11 carries out the examination of some forms at least.If client interface agency 11 be agreement as can be known, it can distribute port by external server 40 orders the time so, and need not carry out relay function till it observes the appropriate protocol signaling, just is being used to the application of permitting to indicate these ports.And, client interface agency 11 is that agreement is as can be known the time, do not need external server be agreement as can be known, because the client interface agency has all intelligence now, carry out necessary being correlated with according to this intelligence request external server, so that it can be provided at the correct forwarding between logic channel and the purpose communication system (for example calling out), these logic channels are to be based upon from client interface to act on behalf of in the connection of departures of external server.This pattern is safer, but considers that employing new application or application upgrade are then more dumb.For for simplicity, suppose in the example of narrating below that client interface agency 11 is in the unknowable pattern operation of agreement.
When the client interface proxy 11 starts up, it establishes the multiplexed connection 51 as its communication channel to the external server 40 by initiating an outbound TCP connection to the address 44, 46 and port of the external server. (Typically this connection is authenticated and encrypted, but that is beyond the scope of this application.)
The multiplexed connection 51 can carry information belonging to a number of TCP and UDP sessions 52, 53. Some logical channels in the multiplexed connection 51 are allocated statically, in particular the control channel 52. Other logical channels can be established dynamically as the need arises. Some logical channels 53 are relayed by the client interface proxy 11 to or from the terminal 10. For each such logical channel, the client interface proxy 11 (or, depending on the implementation, the external server) associates the channel with the IP address and port of a particular TCP or UDP connection between the client interface proxy 11 and the terminal 10. In other words, the client interface proxy performs the association between the transport address of the terminal and the transport address at its own end of the logical channel.
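The multiplexing and association described in this paragraph, as an added example that is not the patent's own code: a frame format carrying a static control channel and dynamically created logical channels over the single TCP connection 51, together with the proxy-side table that associates each logical channel with a terminal transport address. The six-byte header, the control-message text and the addresses are assumptions; the patent does not specify a wire format.

```python
"""Framing of the single outbound TCP connection 51 into a static control
channel 52 and dynamic logical channels 53, plus the proxy-side association
table.  Added example, not the patent's code; header layout and control
message text are assumptions."""
import struct
from dataclasses import dataclass, field

CONTROL_CHANNEL = 0                 # statically allocated channel id (assumed)
HEADER = struct.Struct("!HHH")      # channel id, flags, payload length (assumed layout)
FLAG_OPEN, FLAG_CLOSE = 0x01, 0x02  # control-frame semantics (assumed)


def encode_frame(channel: int, payload: bytes, flags: int = 0) -> bytes:
    if not 0 <= channel < 65536 or len(payload) > 65535:
        raise ValueError("channel id or payload too large for the frame header")
    return HEADER.pack(channel, flags, len(payload)) + payload


def decode_frames(buf: bytes):
    """Return (complete frames, leftover bytes).  TCP is a byte stream, so a frame
    may arrive split across reads; the leftover is prepended to the next read."""
    frames = []
    while len(buf) >= HEADER.size:
        channel, flags, length = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + length:
            break
        frames.append((channel, flags, buf[HEADER.size:HEADER.size + length]))
        buf = buf[HEADER.size + length:]
    return frames, buf


@dataclass
class Multiplexer:
    """Proxy-side view of connection 51: which logical channel relays to which
    terminal-side socket, and vice versa."""
    next_channel: int = 1
    chan_to_terminal: dict = field(default_factory=dict)  # channel -> (ip, port, proto)
    terminal_to_chan: dict = field(default_factory=dict)  # (ip, port, proto) -> channel

    def open_channel(self, terminal_ip: str, terminal_port: int, proto: str = "tcp") -> bytes:
        """Associate a new dynamic channel with a terminal transport address and
        return the control frame announcing it to the external server."""
        key = (terminal_ip, terminal_port, proto)
        if key in self.terminal_to_chan:
            raise ValueError("transport address already associated with a channel")
        ch, self.next_channel = self.next_channel, self.next_channel + 1
        self.chan_to_terminal[ch] = key
        self.terminal_to_chan[key] = ch
        msg = f"OPEN {ch} {proto} {terminal_ip}:{terminal_port}".encode()
        return encode_frame(CONTROL_CHANNEL, msg, FLAG_OPEN)

    def close_channel(self, ch: int) -> bytes:
        key = self.chan_to_terminal.pop(ch)
        del self.terminal_to_chan[key]
        return encode_frame(CONTROL_CHANNEL, f"CLOSE {ch}".encode(), FLAG_CLOSE)

    def from_terminal(self, terminal_ip: str, terminal_port: int, proto: str, data: bytes) -> bytes:
        """Bytes read from a terminal-side socket are wrapped onto that socket's channel."""
        return encode_frame(self.terminal_to_chan[(terminal_ip, terminal_port, proto)], data)

    def from_server(self, wire: bytes):
        """Demultiplex bytes from connection 51 into (destination, payload) deliveries.
        The destination is 'control' for channel 52, the terminal transport address
        for a known channel, or None for a channel id the proxy never opened."""
        frames, rest = decode_frames(wire)
        deliveries = []
        for ch, _flags, payload in frames:
            if ch == CONTROL_CHANNEL:
                deliveries.append(("control", payload))
            else:
                deliveries.append((self.chan_to_terminal.get(ch), payload))
        return deliveries, rest
```

A frame on a channel id the proxy has no association for is reported with a None destination rather than delivered anywhere; in protocol-agnostic mode that is the proxy's only defence against a peer naming channels it never agreed to.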
As part of the initial configuration, the external server 40 can instruct the client interface proxy 11 to establish a number of sockets on which to listen for registration messages and outgoing calls from the terminal 10.
If the terminal 10 subsequently attempts to register with a gatekeeper or server, the registration message (H.225 RAS, SIP REGISTER, etc.) is sent to the client interface proxy 11. The client interface proxy 11 forwards this registration message to the external server 40 over logical channel 52 or 53. All responses are sent by the reverse route. The external server 40 stores the terminal's private transport address 14 together with an identifier of the multiplexed connection 51, or the transport address on which the registration was received. When the need arises, this information is sufficient to forward incoming calls to the terminal.
To set up an incoming call, the external server 40 needs to establish a call control channel (H.323 or SIP call control, e.g. H.225) to the terminal 10 through the client interface proxy 11. If no suitable logical channel 53 exists between the external server 40 and the client interface proxy 11, one is created, as illustrated by the following example. As part of this process the private transport address (IP address and port) 14 of the terminal is specified, and the client interface proxy 11 establishes a TCP or UDP connection to that private transport address. The messages needed to set up the logical channel 53 are exchanged between the external server 40 and the client interface proxy 11 using the control logical channel 52.
Once the logical channel for call control signalling has been established, the H.323/SIP external server 40 can send the call set-up message (H.323 SETUP, SIP INVITE, etc.) to the client interface proxy 11. The client interface proxy then forwards this message to the terminal 10 using the TCP or UDP connection 54, which was established when the logical channel 53 was created.
In the case of H.323, it may be necessary to establish an H.245 connection between the external server 40 and the terminal 10. The address on the terminal 10 to which this connection is to be made is contained in the response that the terminal 10 sends back to the external server 40. If the external server 40 chooses to establish such an H.245 session, it sets up a new logical channel 53 in the same way as the call signalling channel. As part of this process, the client interface proxy 11 establishes a TCP connection to the private IP address and port specified in the terminal's response.
For an outgoing call, a signalling path can be established between the terminal 10 and the external server 40 when the terminal 10 connects to the client interface proxy 11 and sends a call set-up message (H.323 SETUP, SIP INVITE, etc.). If no logical channel 53 of this connection type exists in the multiplexed connection 51, one can be set up by the client interface proxy 11 using the control channel 52. The client interface proxy 11 then relays the message to the external server 40.
If the outgoing call requires a separate H.245 connection, the external server 40 establishes a new logical channel 53 in the multiplexed connection 51 and instructs the client interface proxy 11 to create a listening socket. The address and port of the socket created are returned to the external server 40, which includes them in the response to the set-up message that it sends in the H.323 signalling. This information enables the terminal 10 to connect to the listening socket created by the client interface proxy 11.
Once the call control path for the required incoming or outgoing call has been established, outbound and inbound media paths may need to be established. As noted earlier, the media paths of all currently defined IP-based multimedia applications (including H.323, SIP and MGCP) use RTP. RTP is based on UDP, and a unidirectional RTP connection requires both a forward and a reverse UDP path to be established. It is therefore necessary to establish a UDP path from the terminal 10 through the client interface proxy 11 to the external server 40, and a UDP path from the external server 40 through the client interface proxy 11 back to the terminal 10. In addition, RTP and RTCP connections require a fixed relationship between the ports they use. Therefore, besides being able to open a single port at a time, it must also be possible to open a pair of UDP ports having the necessary RTP/RTCP port-number relationship. Accordingly, where the following description refers to opening a single connection, the same principles apply to requesting that a pair of ports be opened simultaneously.
The following discussion assumes that the H.323 protocol is used. The ordering of protocol messages relative to control messages may differ for other protocols (such as SIP and MGCP), but the principle is the same.
To establish a UDP path between the terminal 10 and the external server 40, the external server 40 instructs the client interface proxy 11 to open a UDP port (or port pair) to which the terminal 10 can connect. The external server 40 also specifies a token, which the client interface proxy 11 associates with this connection.
On successfully opening the port, the client interface proxy 11 gives the external server 40 an indication identifying that port. The external server can then send the signalling command required to open the media channel (e.g. H.245 OpenLogicalChannel in the case of H.323); this command contains the private IP address and port on the client interface proxy 11 to which the terminal 10 is to send its UDP packets. On receiving this command, the client interface proxy relays it to the terminal using the connection previously established for this purpose.
The terminal 10 can now begin sending RTP and RTCP UDP packets 56 to the client interface proxy 11. However, before forwarding these packets to the external server 40, the client interface proxy 11 must send a probe packet 55 containing the token specified by the external server 40 when the connection was initially configured. Besides creating the private-to-public address mapping in the NAPT, the presence of the token allows the external server 40 to associate with the correct logical media channel the UDP packets 57 that arrive from the same source as the probe packet 55. Note that the sending of the probe packet 55 should preferably be delayed as long as possible: if it is sent too early, the address mapping created in the NAT may time out before any media data 56 is sent. It must also be recognised that, being UDP, the probe packet 55 may be lost; it must therefore be possible to send more than one probe packet 55 for a given connection. Once the probe packet 55 has been sent, the client interface proxy can relay the received UDP packets 56 to the external server 40 (as item 57). Alternatively, the token information can be multiplexed into each UDP packet sent. Furthermore, multiple logical channels can be multiplexed onto one or more UDP connections.
The method for inbound UDP connections is similar. The external server 40 instructs the client interface proxy 11 to open a port (or port pair) that can be used to send UDP packets to the terminal 10. The client interface proxy 11 notifies the external server 40 of the identity of that port. The external server 40 can then include this information in the protocol-specific signalling command that opens the media channel to the terminal 10 via the client interface proxy 11 (e.g. H.245 OpenLogicalChannel in the case of H.323). The terminal 10 replies to this command, giving the private IP address and port on which it will receive UDP packets for this connection. This message is relayed back to the external server 40. The external server 40 can then notify the client interface proxy 11 of the address to which it should relay the UDP packets for this connection. Also, in order to establish the public-to-private address mapping in the NAT, the external server 40 requests the client interface proxy 11 to send a probe packet 55 containing the token for this connection to the external server 40. This creates a private-to-public address mapping, which in turn serves as the public-to-private mapping for data sent in the opposite direction. The external server 40 uses the token in the probe packet 55 to determine the NAT address and port to which it should send UDP packets for this session 57. The external server 40 can now begin sending UDP media to this address. The NAT relays it to the client interface proxy 11, which in turn relays it to the terminal 10 (as item 56), thus completing the connection.
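The probe-packet and token mechanism of the preceding paragraphs (the outbound and inbound UDP paths, the RTP/RTCP port pair, a lost and retransmitted probe, and the NAT mapping timeout), as an added simulation that is not code from the patent. The NAPT model, the probe marker, the idle timeout, the token values and all addresses are assumptions. Each port of the pair carries its own token here, because a NAPT need not map two adjacent private ports to adjacent public ports.

```python
"""Simulation of the probe-packet / token mechanism (items 55, 56, 57 of Fig. 3)
for UDP media paths through a NAPT.  Added example, not the patent's code; the
NAPT model, probe marker, timeout and addresses are assumptions."""
from dataclasses import dataclass, field

PROBE_MAGIC = b"PRB1"      # assumed marker distinguishing probes 55 from media 57
NAT_IDLE_TIMEOUT = 30.0    # assumed seconds of silence before the NAPT drops a mapping


@dataclass
class Napt:
    """Minimal NAPT: maps (private ip, port) to a public port on the first outbound
    datagram, translates inbound datagrams back, and expires idle mappings."""
    public_ip: str
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)    # (priv_ip, priv_port) -> pub_port
    in_map: dict = field(default_factory=dict)     # pub_port -> (priv_ip, priv_port)
    last_used: dict = field(default_factory=dict)  # pub_port -> time of last traffic

    def expire(self, now):
        for pub in [p for p, t in self.last_used.items() if now - t > NAT_IDLE_TIMEOUT]:
            del self.out_map[self.in_map.pop(pub)]
            del self.last_used[pub]

    def outbound(self, now, src, dst, payload):
        self.expire(now)
        pub = self.out_map.get(src)
        if pub is None:                       # first datagram from this private socket
            pub, self.next_port = self.next_port, self.next_port + 1
            self.out_map[src], self.in_map[pub] = pub, src
        self.last_used[pub] = now
        return (self.public_ip, pub), dst, payload

    def inbound(self, now, src, pub_port, payload):
        self.expire(now)
        priv = self.in_map.get(pub_port)
        if priv is None:
            return None                       # no mapping: unsolicited UDP is dropped
        self.last_used[pub_port] = now
        return src, priv, payload


@dataclass
class ExternalServer:
    addr: tuple
    tokens: dict = field(default_factory=dict)   # token -> media channel, agreed over channel 52
    learned: dict = field(default_factory=dict)  # channel -> public (ip, port) seen in its probe

    def expect(self, token, channel):
        self.tokens[token] = channel

    def receive(self, src, payload):
        if payload.startswith(PROBE_MAGIC):
            channel = self.tokens.get(payload[len(PROBE_MAGIC):])
            if channel is None:
                return "dropped: unknown token"
            self.learned[channel] = src           # a retransmitted probe just rebinds the same address
            return f"probe bound channel {channel}"
        for channel, known in self.learned.items():
            if known == src:                      # media is matched by the probe's source address
                return f"media on channel {channel}"
        return "dropped: unmapped source"

    def send_media(self, channel, payload):
        """Inbound direction: media goes to the NAT address learned from the probe."""
        return self.learned.get(channel), payload


@dataclass
class ClientInterfaceProxy:
    ip: str
    relay: dict = field(default_factory=dict)  # local UDP port -> (token, terminal address)

    def open_pair(self, rtp_port, rtp_token, rtcp_token, terminal):
        """RTP on an even port, RTCP on the next odd port, each with its own token."""
        if rtp_port % 2:
            raise ValueError("RTP port must be even")
        self.relay[rtp_port] = (rtp_token, terminal)
        self.relay[rtp_port + 1] = (rtcp_token, terminal)

    def probe(self, port):
        return (self.ip, port), PROBE_MAGIC + self.relay[port][0]


def run_scenario():
    nat = Napt("203.0.113.5")
    es = ExternalServer(("198.51.100.10", 5000))
    cip = ClientInterfaceProxy("10.1.2.50")
    terminal = ("10.1.2.3", 6000)
    es.expect(b"tok-rtp", 101)                   # tokens and channel ids issued over channel 52
    es.expect(b"tok-rtcp", 102)
    cip.open_pair(20000, b"tok-rtp", b"tok-rtcp", terminal)
    log, t = [], 0.0
    # 1. One probe per port creates the NAT mapping and binds it to a channel; a lost
    #    probe is simply sent again (port 20000 is probed twice here).
    for port in (20000, 20001, 20000):
        src, payload = cip.probe(port)
        pub_src, _, payload = nat.outbound(t, src, es.addr, payload)
        log.append(es.receive(pub_src, payload))
    # 2. Terminal RTP 56, relayed by the proxy from the same local port as 57, hits the same mapping.
    pub_src, _, payload = nat.outbound(t + 1, (cip.ip, 20000), es.addr, b"RTP#1")
    log.append(es.receive(pub_src, payload))
    # 3. Inbound: server -> learned public address -> NAT -> proxy socket -> terminal.
    dst_pub, payload = es.send_media(101, b"RTP#2")
    _, priv, _ = nat.inbound(t + 2, es.addr, dst_pub[1], payload)
    delivered_to = cip.relay[priv[1]][1]
    # 4. Failure mode: a mapping idle past the timeout is gone, so inbound media is dropped.
    late = nat.inbound(t + NAT_IDLE_TIMEOUT + 5, es.addr, dst_pub[1], b"RTP#3")
    return {"log": log, "learned": dict(es.learned), "delivered_to": delivered_to, "after_timeout": late}
```

Step 4 is the reason the text advises sending the probe as late as possible: the server can only reach the terminal while the NAT mapping created by the probe is still alive, and nothing but traffic keeps it alive.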
When a UDP connection is no longer needed, the external server 40 instructs the client interface proxy 11 to close the relevant socket. Any private-to-public address mapping in the NAT eventually times out once no data passes through it.
In this description of the invention we have assumed that the external server is a single device with a single IP address. In other embodiments of the invention the 'external server' may be a number of cooperating devices. In addition, each external server device may have one or more IP addresses. Where multiple IP addresses are used, the usual practice is to allocate them from a single subnet; the firewall rules are then programmed to permit the specified ports to and from that subnet rather than to and from a single IP address.
Note that the private IP address and port number of the H.323 terminal may in fact be identical to the public IP address and port number to which they are mapped, in which case the mapping is transparent.
The advantages of the method described above are:
● NAT and firewall functionality do not need to be upgraded.
● Signalling latency is kept to a minimum.
● The mechanism requires only a protocol-agnostic client interface proxy, which can be used with any suitable real-time protocol.
● The enterprise's IP addresses are not disclosed to the parties with which the enterprise makes calls.
● Quality of service and other application-based policies (e.g. bandwidth) can be implemented in part, without requiring a single consistent end-to-end solution. For example, the external server can instruct the client interface proxy to handle a particular media flow within a call at a specific QoS level, using a method suited to the connection between the client interface proxy and the external server, and the external server can map this to the corresponding QoS level available to it in the core network. Similarly, an encryption method can be used between the client interface proxy and the security device, independently of the security mechanisms used for the other parts (legs) of the call.
In summary, the invention provides a method and system that allow an H.323 terminal (or an endpoint adapted to another real-time protocol) located in a private IP network to operate without regard to existing security processes and measures; without requiring upgrades to existing firewalls, routers and proxies; and with full NAT applied to the IP connection, the NAT function needing neither to translate nor to understand the communication protocol in use. Using a shared or public IP network, the invention also allows a standard H.323 device in a private network to communicate, via the protocol-independent client interface proxy and then an H.323 proxy server, with other H.323 terminals in the same or different private and/or public IP networks.
Shared resources in the shared IP network can therefore be subscribed to by organisations. Costs are kept to a minimum and security is not compromised.

Claims (27)

1. A communication system for handling a communication session with a destination communication system, comprising: a first local terminal in a first network; a first external server in a second network; one or more logical channels between the first local terminal and the first external server for carrying the communication session over a shared communication network; and means for performing a NAT function, through which the communication session must pass, wherein:
i) the first local terminal has at least one transport address used for the communication session;
ii) the means for performing the NAT function applies network address mapping to the transport addresses of the connection between the first local terminal and the shared communication network;
iii) the system comprises a client interface proxy representing the first local terminal in its communication with the first external server;
iv) the client interface proxy establishes logical channels in one or more outbound connections to the first external server, said logical channels serving as control channels between the client interface proxy and the first external server;
characterised in that:
v) the outbound connections established by the client interface proxy are dynamic outbound connections;
vi) the client interface proxy establishes an association between a transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel lying between the client interface proxy and the first external server and being established in one or more of said dynamic outbound connections from the client interface proxy to the first external server.
2. A method of handling a communication session in a communication system, the communication system comprising a first local terminal in a first network, a first external server in a second network, a client interface proxy between the first local terminal and a shared communication network, and means for performing a NAT function through which the communication session must pass, the method comprising the steps of:
i) carrying the communication session over the shared communication network on one or more logical channels between the first local terminal and the first external server, the first local terminal having at least one transport address used for the communication session;
ii) causing the means for performing the NAT function to apply network address mapping to the transport addresses of the connection between the first local terminal and the shared communication network;
iii) using a client interface proxy to represent the first local terminal in its communication with the first external server;
iv) using the client interface proxy to establish logical channels in one or more outbound connections to the first external server, said logical channels serving as control channels between the client interface proxy and the first external server;
the method being characterised by the further steps of:
v) using the client interface proxy to establish dynamic outbound connections to the first external server;
vi) using the client interface proxy to establish one or more associations between a transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel lying between the client interface proxy and the first external server and being established in one or more of said dynamic outbound connections from the client interface proxy to the first external server.
3. The method of claim 2, wherein the client interface proxy establishes said association in response to a request from the first external server.
4. The method of claim 2, wherein the client interface proxy establishes said association in response to a request that it generates itself.
5. The method of any one of claims 2 to 4, wherein the first external server, either of its own accord or at the request of the client interface proxy, establishes an association between said identifiable logical channel and a logical channel communicating with the destination communication system.
6. The method of claim 5, wherein the communication system includes a client-server protocol on the control channel, characterised in that:
the client-server protocol on the control channel is used to initiate the dynamic association between (a) the logical channel used for communication by the first local terminal and (b) the identifiable logical channel between the client interface proxy and the first external server, and the dynamic association with (c) the logical channel communicating between the first external server and the destination communication system, said identifiable logical channel being established in one or more of said dynamic outbound connections from the client interface proxy to the first external server, such that the first local terminal is located at a transport address of the first external server and the destination communication system is located at a transport address of the client interface proxy.
7. The method of claim 6, further comprising the steps of: configuring the first external server as the master of the client-server protocol, and modifying the transport addresses carried in the real-time or non-real-time protocol by which the first local terminal and the client interface proxy communicate, so that the client interface proxy connects to the first local terminal as the destination communication system, and the destination communication system communicates with the first external server using the connection protocol of the first local terminal.
8. The method of claim 6, further comprising the steps of: configuring the client interface proxy as the master of the client-server protocol, and modifying the transport addresses carried in the real-time or non-real-time protocol by which the first local terminal and the client interface proxy communicate, so that the client interface proxy connects to the first local terminal as the destination communication system, and the destination communication system communicates with the first external server using the connection protocol of the first local terminal.
9. The method of claim 8, wherein the transport address of the first local terminal is dynamically allocated.
10. The method of claim 9, wherein the transport addresses of the first external server are dynamically allocated.
11. The method of claim 9, wherein all the transport addresses of the first external server are statically allocated.
12. The method of claim 11, wherein the communication system includes a firewall through which the communication session must pass, the firewall restricting certain types of communication between the first local terminal and the shared communication network but not restricting communication between the client interface proxy and the first external server.
13. The method of claim 12, wherein at least one transport address of the first external server has at least one pre-assigned port, and the outbound connection from the client interface proxy to the first external server uses said pre-assigned port.
14. The method of claim 13, wherein all the transport addresses of the first external server have pre-assigned ports.
15. The method of claim 14, wherein all the transport addresses of the first external server have at most two pre-assigned ports.
16. The method of claim 15, wherein all the transport addresses of the client interface proxy are dynamically allocated.
17. The method of claim 15, wherein at least one transport address of the outbound connection from the client interface proxy to the external server uses a pre-assigned port.
18. The method of claim 15, wherein all the transport addresses of the outbound connections from the client interface proxy to the external server have pre-assigned ports.
19. The method of claim 18, wherein the communication system includes a second local terminal in a third network, and the first external server is a proxy server between the first local terminal and the second local terminal, acting during the communication session as the proxy for each terminal towards the other.
20. The method of claim 18, wherein the communication system includes a second local terminal and a second external server in a third network, the second external server acting as the proxy for the second local terminal, and communication between the first external server and the second external server taking place over a public network or the shared communication network.
21. The method of claim 20, wherein the shared communication network comprises the public communication network.
22. The method of claim 21, wherein the shared communication network comprises the Internet.
23. The method of claim 22, wherein the client interface proxy is co-located with one of the local terminals.
24. The method of claim 22, wherein the client interface proxy is remote from the local terminal.
25. The method of claim 24, wherein more than one local terminal uses the client interface proxy.
26. The method of claim 25, wherein the client interface proxy simultaneously represents terminals operating different real-time and/or non-real-time protocols.
27. The method of claim 26, wherein the first external server simultaneously represents terminals and/or client interface proxies operating different real-time and/or non-real-time protocols.
CN01817225.3A 2000-11-30 2001-11-29 Communications system Expired - Fee Related CN1262095C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0029179A GB2369746A (en) 2000-11-30 2000-11-30 Communications system with network address translation
GB0029179.9 2000-11-30

Publications (2)

Publication Number Publication Date
CN1470119A CN1470119A (en) 2004-01-21
CN1262095C true CN1262095C (en) 2006-06-28

Family

ID=9904157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN01817225.3A Expired - Fee Related CN1262095C (en) 2000-11-30 2001-11-29 Communications system

Country Status (11)

Country Link
US (2) US7512708B2 (en)
EP (2) EP1338127B1 (en)
JP (1) JP3757399B2 (en)
CN (1) CN1262095C (en)
AT (1) ATE301362T1 (en)
AU (2) AU2002218404B2 (en)
CA (1) CA2422764C (en)
DE (1) DE60112469T2 (en)
GB (1) GB2369746A (en)
HK (1) HK1055364A1 (en)
WO (1) WO2002045373A2 (en)

US9021134B1 (en) * 2006-03-03 2015-04-28 Juniper Networks, Inc. Media stream transport conversion within an intermediate network device
US20080002711A1 (en) * 2006-06-30 2008-01-03 Bugenhagen Michael K System and method for access state based service options
CN101132353A (en) * 2006-08-23 2008-02-27 华为技术有限公司 Signaling transmission method and device
US7706373B2 (en) * 2006-11-01 2010-04-27 Nuvoiz, Inc. Session initiation and maintenance while roaming
US8966619B2 (en) * 2006-11-08 2015-02-24 Verizon Patent And Licensing Inc. Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering
US9473529B2 (en) 2006-11-08 2016-10-18 Verizon Patent And Licensing Inc. Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using method vulnerability filtering
US20080205388A1 (en) * 2007-02-22 2008-08-28 Microsoft Corporation Discovery of network devices logically located between a client and a service
JP4740898B2 (en) * 2007-05-31 2011-08-03 日本電信電話株式会社 Third-party call control (3PCC) system and 3PCC implementation method in an IP communication network having a plurality of IP address systems
US8302186B2 (en) 2007-06-29 2012-10-30 Verizon Patent And Licensing Inc. System and method for testing network firewall for denial-of-service (DOS) detection and prevention in signaling channel
US8522344B2 (en) * 2007-06-29 2013-08-27 Verizon Patent And Licensing Inc. Theft of service architectural integrity validation tools for session initiation protocol (SIP)-based systems
US8195806B2 (en) * 2007-07-16 2012-06-05 International Business Machines Corporation Managing remote host visibility in a proxy server environment
US9661267B2 (en) * 2007-09-20 2017-05-23 Lifesize, Inc. Videoconferencing system discovery
TW200915784A (en) * 2007-09-28 2009-04-01 D Link Corp Method of using a router as a relay proxy
JP4540720B2 (en) * 2008-04-02 2010-09-08 株式会社エヌ・ティ・ティ・ドコモ Data communication terminal, proxy device, data communication system, and data communication method
US8005098B2 (en) * 2008-09-05 2011-08-23 Cisco Technology, Inc. Load balancing across multiple network address translation (NAT) instances and/or processors
EP2166726A1 (en) * 2008-09-18 2010-03-24 Thomson Telecom Belgium A method and a gateway for providing multiple internet access
US8165077B2 (en) * 2008-09-26 2012-04-24 Microsoft Corporation Delegation of mobile communication to external device
US20100180334A1 (en) * 2009-01-15 2010-07-15 Chen Jy Shyang Network apparatus and method for transferring packets
US8305421B2 (en) * 2009-06-29 2012-11-06 Lifesize Communications, Inc. Automatic determination of a configuration for a conference
JP4635095B2 (en) * 2009-06-30 2011-02-16 株式会社東芝 Communication system and server device thereof
US9167275B1 (en) 2010-03-11 2015-10-20 BoxCast, LLC Systems and methods for autonomous broadcasting
WO2012023886A1 (en) * 2010-08-17 2012-02-23 Telefonaktiebolaget L M Ericsson (Publ) NODE AND METHOD FOR AoIP ADDRESS CHANGE
WO2012096963A1 (en) 2011-01-10 2012-07-19 Fiberlink Communications Corporation System and method for extending cloud services into the customer premise
US10951743B2 (en) 2011-02-04 2021-03-16 Adaptiv Networks Inc. Methods for achieving target loss ratio
US9590913B2 (en) 2011-02-07 2017-03-07 LiveQoS Inc. System and method for reducing bandwidth usage of a network
US8717900B2 (en) 2011-02-07 2014-05-06 LiveQoS Inc. Mechanisms to improve the transmission control protocol performance in wireless networks
US20130077618A1 (en) * 2011-09-23 2013-03-28 Cisco Technology, Inc. Expeditious resource reservation protocol
EP2803181A1 (en) * 2012-01-09 2014-11-19 Qualcomm Incorporated Cloud computing controlled gateway for communication networks
US8978126B2 (en) * 2012-10-29 2015-03-10 Blackberry Limited Method and system for TCP turn operation behind a restrictive firewall
CN103532935B (en) * 2013-09-28 2017-01-18 福建星网锐捷软件有限公司 Domain strategy-based P2P (Peer-to-Peer) streaming media transmission control method
CN104869065B (en) * 2014-02-26 2020-04-21 中兴通讯股份有限公司 Data message processing method and device
CN104869144A (en) * 2014-02-26 2015-08-26 联想(北京)有限公司 Information sharing method and electronic equipment
US20160072839A1 (en) * 2014-09-05 2016-03-10 Salesforce.Com, Inc. Facilitating dynamic management of participating devices within a network in an on-demand services environment
US10257159B2 (en) * 2014-12-04 2019-04-09 Belkin International, Inc. Methods, systems, and apparatuses for providing a single network address translation connection for multiple devices
US10063439B2 (en) 2014-09-09 2018-08-28 Belkin International Inc. Coordinated and device-distributed detection of abnormal network device operation
US20160072764A1 (en) * 2014-09-10 2016-03-10 T-Mobile Usa, Inc. Dynamic double network address translator
US10270840B2 (en) * 2015-01-01 2019-04-23 Bank Of America Corporation Modular system for holistic data transmission across an enterprise
CN104811473B (en) * 2015-03-18 2018-03-02 华为技术有限公司 A kind of method, system and management system for creating virtual non-volatile storage medium
WO2016176434A1 (en) * 2015-04-28 2016-11-03 Duke Manufacturing Co. System and apparatus for connecting kitchen components
US10038651B2 (en) 2015-09-05 2018-07-31 Nevion Europe As Asynchronous switching system and method
US10021589B2 (en) * 2016-01-26 2018-07-10 Sprint Communications Company L.P. Wireless data system that associates internet protocol ports with quality-of-service for user applications
US10154317B2 (en) 2016-07-05 2018-12-11 BoxCast, LLC System, method, and protocol for transmission of video and audio data
US10511521B2 (en) 2016-08-03 2019-12-17 Anchorfree Inc. System and method for virtual multipath data transport
US20180234506A1 (en) * 2017-02-14 2018-08-16 Gu Zhang System and methods for establishing virtual connections between applications in different ip networks
US10931720B2 (en) 2017-06-08 2021-02-23 Avaya Inc. IP tolerance and signaling interworking
US10938786B2 (en) 2017-12-01 2021-03-02 Twingate Inc. Local interception of traffic to a remote forward proxy
US10834138B2 (en) 2018-08-13 2020-11-10 Akamai Technologies, Inc. Device discovery for cloud-based network security gateways
CN109474667B (en) * 2018-10-12 2021-05-25 广州雷迅创新科技股份有限公司 Unmanned aerial vehicle communication method based on TCP and UDP
US10951589B2 (en) * 2018-12-06 2021-03-16 Akamai Technologies, Inc. Proxy auto-configuration for directing client traffic to a cloud proxy
JP7188046B2 (en) * 2018-12-14 2022-12-13 富士フイルムビジネスイノベーション株式会社 Communication system, communication device, communication system program and communication program
CN116346924A (en) * 2021-12-24 2023-06-27 北京字节跳动网络技术有限公司 Network request processing method, device, equipment and storage medium

Family Cites Families (68)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA1259430A (en) * 1985-07-19 1989-09-12 Fumio Akashi Multipoint communication system having polling and reservation schemes
US5301320A (en) 1991-06-28 1994-04-05 Digital Equipment Corporation Workflow management and control system
US5282222A (en) * 1992-03-31 1994-01-25 Michel Fattouche Method and apparatus for multiple access between transceivers in wireless communications using OFDM spread spectrum
US5337313A (en) * 1992-11-12 1994-08-09 Motorola, Inc. Method and apparatus for preserving packet sequencing in a packet transmission system
EP0615198A1 (en) 1993-03-08 1994-09-14 International Business Machines Corporation Method for processing, handling, and presenting data pertaining to an enterprise in the form of a data model
US5781550A (en) 1996-02-02 1998-07-14 Digital Equipment Corporation Transparent and secure network gateway
DE69708281T2 (en) 1996-04-24 2002-05-16 Nortel Networks Ltd INTERNET PROTOCOL-FILTER
JPH10289479A (en) * 1997-04-10 1998-10-27 Tdk Corp Optical recording medium
US6273622B1 (en) * 1997-04-15 2001-08-14 Flash Networks, Ltd. Data communication protocol for maximizing the performance of IP communication links
US6473406B1 (en) 1997-07-31 2002-10-29 Cisco Technology, Inc. Method and apparatus for transparently proxying a connection
US6490620B1 (en) 1997-09-26 2002-12-03 Worldcom, Inc. Integrated proxy interface for web based broadband telecommunications management
US6058431A (en) * 1998-04-23 2000-05-02 Lucent Technologies Remote Access Business Unit System and method for network address translation as an external service in the access server of a service provider
US6175548B1 (en) * 1998-06-29 2001-01-16 Sony Corporation Optical recording medium and optical recording and reproducing apparatus
US6360265B1 (en) 1998-07-08 2002-03-19 Lucent Technologies Inc. Arrangement of delivering internet protocol datagrams for multimedia services to the same server
US6628629B1 (en) * 1998-07-10 2003-09-30 Malibu Networks Reservation based prioritization method for wireless transmission of latency and jitter sensitive IP-flows in a wireless point to multi-point transmission system
US6401128B1 (en) 1998-08-07 2002-06-04 Brocade Communications Systems, Inc. System and method for sending and receiving frames between a public device and a private device
US6438597B1 (en) 1998-08-17 2002-08-20 Hewlett-Packard Company Method and system for managing accesses to a data service system that supports persistent connections
JP2000132855A (en) * 1998-10-27 2000-05-12 Matsushita Electric Ind Co Ltd Optical information recording and reproducing device
US6470020B1 (en) 1998-11-03 2002-10-22 Nortel Networks Limited Integration of stimulus signalling protocol communication systems and message protocol communication systems
US6182149B1 (en) * 1999-01-11 2001-01-30 3Com Corporation System for managing dynamic processing resources in a network
NO995081D0 (en) * 1999-10-18 1999-10-18 Ericsson Telefon Ab L M Device for H.323 proxy
US7120692B2 (en) 1999-12-02 2006-10-10 Senvid, Inc. Access and control system for network-enabled devices
US6677104B2 (en) * 2000-02-10 2004-01-13 Tdk Corporation Optical information medium
US6631417B1 (en) 2000-03-29 2003-10-07 Iona Technologies Plc Methods and apparatus for securing access to a computer
US7814208B2 (en) 2000-04-11 2010-10-12 Science Applications International Corporation System and method for projecting content beyond firewalls
US6631416B2 (en) 2000-04-12 2003-10-07 Openreach Inc. Methods and systems for enabling a tunnel between two computers on a network
US6996628B2 (en) 2000-04-12 2006-02-07 Corente, Inc. Methods and systems for managing virtual addresses for virtual networks
GB2365256A (en) 2000-07-28 2002-02-13 Ridgeway Systems & Software Lt Audio-video telephony with port address translation
US20020042832A1 (en) 2000-08-14 2002-04-11 Fallentine Mark D. System and method for interoperability of H.323 video conferences with network address translation
US7047561B1 (en) * 2000-09-28 2006-05-16 Nortel Networks Limited Firewall for real-time internet applications
GB2369746A (en) 2000-11-30 2002-06-05 Ridgeway Systems & Software Lt Communications system with network address translation
KR100360274B1 (en) 2000-12-30 2002-11-09 엘지전자 주식회사 Method for supporting general ip telephone system in nat based private network
US7155518B2 (en) 2001-01-08 2006-12-26 Interactive People Unplugged Ab Extranet workgroup formation across multiple mobile virtual private networks
US7631349B2 (en) 2001-01-11 2009-12-08 Digi International Inc. Method and apparatus for firewall traversal
AU2002234258A1 (en) 2001-01-22 2002-07-30 Sun Microsystems, Inc. Peer-to-peer network computing platform
US6928082B2 (en) 2001-03-28 2005-08-09 Innomedia Pte Ltd System and method for determining a connectionless communication path for communicating audio data through an address and port translation device
US6993012B2 (en) 2001-02-20 2006-01-31 Innomedia Pte, Ltd Method for communicating audio data in a packet switched network
US7173928B2 (en) 2001-02-20 2007-02-06 Innomedia Pte, Ltd System and method for establishing channels for a real time streaming media communication system
US7050422B2 (en) 2001-02-20 2006-05-23 Innomedia Pte, Ltd. System and method for providing real time connectionless communication of media data through a firewall
US20020138627A1 (en) 2001-03-26 2002-09-26 Frantzen Michael T. Apparatus and method for managing persistent network connections
US8363647B2 (en) 2001-04-03 2013-01-29 Voxpath Networks, Inc. System and method for configuring an IP telephony device
US7068647B2 (en) 2001-04-03 2006-06-27 Voxpath Networks, Inc. System and method for routing IP packets
US7272650B2 (en) 2001-04-17 2007-09-18 Intel Corporation Communication protocols operable through network address translation (NAT) type devices
US20030009561A1 (en) 2001-06-14 2003-01-09 Sollee Patrick N. Providing telephony services to terminals behind a firewall and /or network address translator
US20030033418A1 (en) 2001-07-19 2003-02-13 Young Bruce Fitzgerald Method of implementing and configuring an MGCP application layer gateway
WO2003019870A2 (en) 2001-08-24 2003-03-06 Peribit Networks, Inc. Dynamic multi-point meshed overlay network
US7321925B2 (en) 2001-09-18 2008-01-22 Intel Corporation Load balancing and fault tolerance for server-based software applications
US7302700B2 (en) 2001-09-28 2007-11-27 Juniper Networks, Inc. Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
US7274684B2 (en) 2001-10-10 2007-09-25 Bruce Fitzgerald Young Method and system for implementing and managing a multimedia access network device
US20030084162A1 (en) 2001-10-31 2003-05-01 Johnson Bruce L. Managing peer-to-peer access to a device behind a firewall
US7379465B2 (en) 2001-12-07 2008-05-27 Nortel Networks Limited Tunneling scheme optimized for use in virtual private networks
US7013342B2 (en) 2001-12-10 2006-03-14 Packeteer, Inc. Dynamic tunnel probing in a communications network
US6860616B2 (en) * 2001-12-14 2005-03-01 Iq Hong Kong, Ltd. Ultraviolet light writing system
US7227864B2 (en) 2001-12-17 2007-06-05 Microsoft Corporation Methods and systems for establishing communications through firewalls and network address translators
US7152105B2 (en) 2002-01-15 2006-12-19 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7257630B2 (en) 2002-01-15 2007-08-14 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7664845B2 (en) 2002-01-15 2010-02-16 Mcafee, Inc. System and method for network vulnerability detection and reporting
US20030140142A1 (en) 2002-01-18 2003-07-24 David Marples Initiating connections through firewalls and network address translators
US7133368B2 (en) 2002-02-01 2006-11-07 Microsoft Corporation Peer-to-peer method of quality of service (QoS) probing and analysis and infrastructure employing same
US20030154306A1 (en) 2002-02-11 2003-08-14 Perry Stephen Hastings System and method to proxy inbound connections to privately addressed hosts
WO2003083692A1 (en) 2002-03-27 2003-10-09 First Virtual Communications System and method for traversing firewalls with protocol communications
US7243141B2 (en) 2002-05-13 2007-07-10 Sony Computer Entertainment America, Inc. Network configuration evaluation
US7676579B2 (en) 2002-05-13 2010-03-09 Sony Computer Entertainment America Inc. Peer to peer network communication
WO2003105010A1 (en) 2002-06-06 2003-12-18 Neoteris, Inc. Method and system for providing secure access to private networks
US6674758B2 (en) 2002-06-06 2004-01-06 Clinton Watson Mechanism for implementing voice over IP telephony behind network firewalls
US7143188B2 (en) 2002-06-13 2006-11-28 Nvidia Corporation Method and apparatus for network address translation integration with internet protocol security
US20030233471A1 (en) 2002-06-17 2003-12-18 Julian Mitchell Establishing a call in a packet-based communications network
US7277963B2 (en) 2002-06-26 2007-10-02 Sandvine Incorporated TCP proxy providing application layer modifications

Also Published As

Publication number Publication date
EP1511271A2 (en) 2005-03-02
EP1338127A2 (en) 2003-08-27
EP1511271A3 (en) 2012-04-11
HK1055364A1 (en) 2004-01-02
WO2002045373A3 (en) 2002-10-17
CA2422764A1 (en) 2002-06-06
CA2422764C (en) 2011-01-04
US20040028035A1 (en) 2004-02-12
ATE301362T1 (en) 2005-08-15
DE60112469T2 (en) 2006-06-14
GB0029179D0 (en) 2001-01-17
GB2369746A (en) 2002-06-05
WO2002045373A2 (en) 2002-06-06
JP2004515164A (en) 2004-05-20
AU2002218404B2 (en) 2006-09-07
US20090116487A1 (en) 2009-05-07
US8291116B2 (en) 2012-10-16
JP3757399B2 (en) 2006-03-22
CN1470119A (en) 2004-01-21
DE60112469D1 (en) 2005-09-08
US7512708B2 (en) 2009-03-31
AU1840402A (en) 2002-06-11
EP1338127B1 (en) 2005-08-03

Similar Documents

Publication Publication Date Title
CN1262095C (en) Communications system
EP1305927B1 (en) Audio-video telephony with firewalls and network address translation
US8244876B2 (en) Providing telephony services to terminals behind a firewall and/or a network address translator
US8204066B2 (en) Method for predicting a port number of a NAT equipment based on results of inquiring the STUN server twice
US7773580B2 (en) Apparatus and method for voice processing of voice over internet protocol (VoIP)
AU2002218404A1 (en) Communications system
US20070217408A1 (en) Address Resolution Device, Address Resolution Method, And Communication System Including The Same
CN101030865A (en) Network address conversion and/or firewall spanning platform, system and method
EP2026528B1 (en) Integrated internet telephony system and signaling method thereof
EP1687957B1 (en) Network-network interface for inter-operator service
CN1794698A (en) System of soft exchange network passing through firewall based on ALG+MP and its method
Cook Design of a Voice-Aware Firewall Architecture
Gatch IP PBX/Service Provider Interoperability
CONSTANTINESCU et al. Session borders controllers: next step in full deployment of voice over IP services

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: TANDERBERG TELECOMMUNICATION ENGLISH CO., LTD.

Free format text: FORMER NAME OR ADDRESS: RIDGEWAY SYSTEMS AND SOFTWARE LTD.

CP01 Change in the name or title of a patent holder

Address after: UK

Patentee after: Tandeboge Telecom UK Limited

Address before: UK

Patentee before: Ridgeway Systems and Software Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060628

Termination date: 20201129